Bungled FoI request led to Council data breach

A Scottish council has been ticked off by the Information Commissioner after a bungled Freedom of Information (FoI) request led to sensitive data on a large number of the authority’s employees being posted to a website.

ICO reads riot act to Dumfries and Galloway over web spreadsheet

Email this to a friend

Characters remaining:

What is A + B?

A Scottish council has been ticked off by the Information Commissioner after a bungled Freedom of Information (FoI) request led to sensitive data on a large number of the authority's employees being posted to a website.

The breach of the Data Protection Act happened in March this year after Dumfries and Galloway Council responded to a request under FoI (Scotland) legislation by publishing a spreadsheet containing the names, dates of birth, salary details and periods of service of 887 current and former employees.

The posting of the sensitive data went unnoticed until June when the Council received complaints from a Trade Union.

After conducting an internal audit, the Council has now undertaken to address any weaknesses found by January 2012.

The case underlines how confusion over two pieces of legislation - Freedom of Information and the Data Protection Act - can lead to problems. The law surrounding the handling of data can be hard for employees to understand given the public's legitimate right to know some of the published information.

"Being open about council pay is a fundamental way that citizens can hold local authorities to account, but that should never be at the expense of upholding individuals' privacy rights," said the ICO's assistant commissioner for Scotland, Ken Macdonald.

"Procedures clearly went wrong in this case and I'm pleased that the council is reviewing its practices in light of the lessons that have been learned," he said.